HIPAA Security Rule: protecting patient data isn't optional
Every covered entity and business associate that creates, receives, maintains, or transmits electronic protected health information (ePHI) has to comply with the HIPAA Security Rule (45 CFR Part 164, Subpart C). Administrative, physical, and technical safeguards: documented, implemented, and auditable. BlackSheep tracks every requirement and keeps your evidence exam-ready.
$249/month · All frameworks included · No credit card to start
22
Security standards
5
Safeguard categories
$1.5M
Statutory max penalty per violation type/year (inflation-adjusted annually by HHS)
6 yrs
Documentation retention, from creation or last effective date, whichever is later
The five categories of HIPAA safeguards
The Security Rule organizes requirements into administrative, physical, technical, organizational, and documentation safeguards.
Administrative Safeguards
§164.308 · 9 standards
- Security management process (risk analysis, risk management, sanction policy, activity review)
- Assigned security responsibility
- Workforce security
- Information access management & access authorization
- Security awareness & training
- Security incident procedures
- Contingency planning
- Evaluation
- Business associate contracts & other arrangements
Physical Safeguards
§164.310 · 4 standards
- Facility access controls
- Workstation use
- Workstation security
- Device and media controls (disposal, media re-use, accountability, backup before moves)
Technical Safeguards
§164.312 · 5 standards
- Access controls & unique user identification
- Audit controls & activity logging
- Integrity controls for ePHI
- Transmission security & encryption
- Authentication of persons or entities
Organizational Requirements
§164.314 · 2 standards
- Business associate agreements
- Group health plan requirements
Documentation Requirements
§164.316 · 2 standards
- Policy and procedure documentation
- 6-year retention requirement
- Availability and update procedures
Does HIPAA apply to your organization?
Covered Entities
Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, referrals, and similar). This includes hospitals, clinics, pharmacies, insurers, and any provider that files electronic claims.
- Hospitals & health systems
- Physician practices & clinics
- Health insurance companies
- Pharmacies
- Healthcare clearinghouses
Business Associates
Any person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or provides services to one that involve access to PHI. This includes IT vendors, cloud providers (HHS guidance treats a provider that merely stores encrypted ePHI as a business associate even if it never holds the key), billing companies, consultants, and law firms.
- EHR/EMR vendors
- Cloud hosting providers
- Medical billing companies
- IT service providers
- Consultants with ePHI access
Subcontractors
Business associates of business associates. Since the 2013 Omnibus Rule, if you handle ePHI on behalf of someone who handles it for a covered entity, HIPAA applies to you directly, not just through your contract. The chain of responsibility extends to every link.
- Data center operators
- SaaS platforms storing ePHI
- Managed IT providers
- Analytics companies
- Destruction & disposal services
Common questions about HIPAA compliance
What's the difference between the Privacy Rule and the Security Rule?
The Privacy Rule governs the use and disclosure of all protected health information (PHI) in any form. The Security Rule specifically addresses electronic PHI (ePHI) and requires administrative, physical, and technical safeguards. BlackSheep focuses on the Security Rule — the technical and operational controls that protect ePHI.
Do we need to encrypt all ePHI?
HIPAA lists encryption as an 'addressable' implementation specification (§164.312(a)(2)(iv) for data at rest, §164.312(e)(2)(ii) for data in transit), not a 'required' one. But 'addressable' doesn't mean optional: you must assess whether it is reasonable and appropriate, implement it if so, and otherwise document why not and implement an equivalent alternative measure where one is reasonable. In practice, HHS treats encryption of ePHI at rest and in transit as the standard of care, and ePHI encrypted in line with HHS guidance (NIST-approved algorithms, with keys kept separate from the data) counts as 'secured' PHI, so its loss does not trigger breach notification.
How often should we conduct a risk assessment?
The Security Rule requires an accurate and thorough risk analysis (§164.308(a)(1)(ii)(A)) but sets no fixed frequency; HHS guidance describes it as an ongoing process that must be updated whenever significant changes occur (new systems, new locations, new vendors, security incidents). Annual risk assessments, plus change-triggered updates in between, are the de facto standard for audit readiness.
What counts as a HIPAA breach?
Any unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy, with narrow exceptions for good-faith workforce access and for disclosures where the recipient could not reasonably have retained the information. There's a presumption that any impermissible use or disclosure is a breach unless you can demonstrate a low probability that the PHI was compromised through a four-factor risk assessment: the nature and extent of the PHI involved, who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.
What are the HIPAA breach notification requirements?
Individual notification without unreasonable delay and no later than 60 calendar days after discovery. If more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area must also be notified within the same window. Breaches affecting 500 or more individuals must be reported to HHS at the same time as individual notice (no later than 60 days after discovery); smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Business associates notify the covered entity, which is responsible for the individual notices. HITECH created these federal breach notification requirements, and the 2013 Omnibus Rule replaced the earlier 'significant risk of harm' test with the presumption-of-breach standard.
Related frameworks
HITECH Act
Strengthens HIPAA enforcement: created the breach notification rule, introduced tiered civil penalties, and made business associates directly liable for Security Rule compliance.
NIST CSF 2.0
HHS/OCR publishes a crosswalk mapping HIPAA Security Rule standards to NIST CSF subcategories, and NIST SP 800-66 Rev. 2 gives implementation guidance for the Security Rule.
CIS Controls v8.1
Actionable security controls that map to HIPAA safeguard requirements.
HIPAA compliance shouldn't live in a spreadsheet
Track every safeguard, document your risk assessment, and maintain audit-ready evidence. BlackSheep maps the entire HIPAA Security Rule so nothing falls through the cracks.
$249/month. 30-day money-back guarantee.